Data API Authentication

SingleStore's Data API uses Basic and Bearer Authentication standards. You can also use JWTs for password-less access to the database with Bearer Authentication. To authenticate via JWTs, specify the JWT in the Bearer Authorization header. For successful authentication, the JWT must be signed using a key listed in the JWKS that is fetched from the jwks_endpoint in the engine. See Authenticate via JWT for more information.

To enable JWT-based authentication on SingleStoreDB Cloud,

  • Configure the JWKS endpoint. Set the jwks_endpoint variable on the database server.

  • Make a HTTP request to the /api/v2/jwks_setup endpoint using the POST method.

A user agent can authenticate with the server by sending its credentials in an Authorization request header. The Authorization header contains the authentication method (Basic or Bearer) followed by a space and then the authentication information constructed from a Base-64 encoded string username:password|JWT.

Authorization: [Basic | Bearer] <Base-64 encoded username:password|JWT>

For example, the Basic Authorization header for the username demo and password Afu4XjzB1ns would appear as follows, where ZGVtbzpBZnU0WGp6QjFucw== is the Base-64 encoding of the demo:Afu4XjzB1ns string.

Authorization: Basic ZGVtbzpBZnU0WGp6QjFucw==

If the server requires the user agent to authenticate itself after receiving an unauthenticated request, it will respond with a 401 Unauthorized status and the WWW-Authenticate header.


When using a third-party SQL client or development tool, you must first add a database user to log into a SingleStoreDB Cloud database.


As the Basic and Bearer Authentication methods transfer the username and password (or JWTs) over the network in clear text, it must be used in conjunction with HTTPS/SSL for added security. The production usage of SingleStore's Data API should only take place with SSL (HTTPS) enabled to ensure that the authentication information is secure.

Last modified: May 5, 2023

Was this article helpful?